nicolaas

I have been working on a one-stop-shop linter: https://github.com/sunnysideup/silverstripe-easy-coding-standards. I would love you to try on an SS4 project ...

GitHub  
sunnysideup/silverstripe-easy-coding-standards

easy coding standards for Silverstripe projects. Contribute to sunnysideup/silverstripe-easy-coding-standards development by creating an account on GitHub.


nicolaas

display as a favicon or in some other way?

nicolaas

something bad: print_r(file_get_contents('../../../.env'));

nicolaas

I am wondering if you could end up with code being executed like this: $this->nothing; do something bad here; where $key = 'nothing; do something bad here;'

nicolaas

Well, this code: $this->$key = $value is executed well before it gets to write ... by executed I do not mean send to the DB.

nicolaas

could you craft $this->$key = $value to be something bad if you had control over $key and $value?

nicolaas

You have full control over $record (i.e. you can create any form field) - then in DataObject you get this:

    foreach ($record as $k => $v) {
        // Ensure that ID is stored as a number and not a string
        // To do: this kind of clean-up should be done on all numeric fields, in some relatively
        // performant manner
        if ($v !== null) {
            if ($k == 'ID' && is_numeric($v)) {
                $this->record[$k] = (int)$v;
            } else {
                $this->record[$k] = $v;
            }
        }
    }

That does not feel safe to me ... ?

nicolaas

@Firesphere, could I do anything fun as a hacker with the code above?

nicolaas

I am wondering if this is safe:

    public function doSubmitFromForm($data, $form)
    {
        $obj = MyObject::create($data);
    }

I would not say it is safe, but maybe it is ... The reason I do not think it is safe is because $data can be anything the hacker wants it to be (AFAIK). Does anyone know: a. if $data arrives at such a form action method "pre-sanitized", and b. if perhaps the "create" function sanitizes the data before it sends it off to the MySQL database?